Device control apparatus

ABSTRACT

A device control apparatus includes a processor that operates according to software, a storage unit that stores privileged software which manages an interrupt to the processor from a device included in the device control apparatus, an OS storage unit that stores an Operation System for calling the privileged software from the storage unit when an interrupt from the device is detected during an execution of the software, a detecting unit that detects an interrupt to the Operation System from the device while the Operation System is operating on the processor, a judging unit that judges whether the Operation System has called the privileged software from the storage unit in a first predetermined time from detection of the interrupt to the Operation System from the device, and a resetting unit that resets the processor when the judging unit judges that the Operation System has not called the privileged software from the storage unit.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is based upon and claims the benefit of priority fromthe prior Japanese Patent Application No. 2006-348504, filed on Dec. 25,2006; the entire contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a device control apparatus havingplural types of software installed thereon.

2. Description of the Related Art

Hitherto, in database systems and server machines designed for executingmission critical process, emphasis has been put on reliability orsecurity from the viewpoint of importance of the processing andconfidentiality of the data held inside. Recently, however, thereliability and security has increased their importance not only in suchgeneral computers but also in various devices such as embedded systems.

On the other hand, along with the recent downsizing trend of system LSI,there is an increasing tendency of realizing plural functions, whichhave been hitherto realized by individual and dedicated hardware, by thesoftware by embedding a processor on the system LSI. By executing pluraltypes of software on the processor in the system LSI, more functions canbe realized by one system LSI.

In this case, it is necessary to prevent leakage of a group of software(for example, confidential programs such as encrypting programs executedon a processor, and valuable programs such as media processing) whichrealizes functions hitherto realized by the hardware, like data such aspersonal information.

When plural programs operate on one processor, if one program has adefect, execution of all other programs is disturbed and the operationof the entire apparatus may be stopped. Or if a program installed, forexample, by downloading from outside is an evil or unjust program,secret information or program may be leaked outside, or may be destroyedor altered.

To solve such problems, it is necessary to control the access toresources such as memories or devices assigned to the program forrealizing each function. For example, a program or a functional unit maybe prohibited from accessing to the resources assigned to other program,or access from plural functions or programs to shared resource can beexclusively controlled. Access control mechanism and access controlinformation themselves must be protected from arbitrary manipulation.

Virtual machine technique is proposed as a means for enhancing thereliability and security by realizing the protections and executingplural functions separately. The virtual machine technique can beimplemented in various manners. According to one manner ofimplementation, a virtualization layer is provided between hardware andoperating system (OS), and plural operating systems (guest OSs) operateon the virtualization layer. The virtualization layer is generallycalled hypervisor layer. The hypervisor layer manages the resources andprovides a virtual machine which is composed of resources assigned to anindividual guest OS. As a result, the plurality of guest OSs can beexecuted in isolated state without interfering with each other. When thefunction of the hypervisor layer is realized by software, such softwareis called hypervisor.

Processors used in general computers have hardware configurationthemselves for supporting virtualization. One example thereof is atechnology proposed by Intel® Corporation in “Intel® VirtualizationTechnology Specification for the IA-32 Intel® Architecture”, [online],[searched on May 31, 2005], Internet <URL:ftp://download.intel.com/technology/computing/vptech/C97063-002.pdf>]. Aprocessor which implements the technology is provided with manyprivilege modes indicating authority of the executed program, and theprogram can transit to a higher privilege mode during an execution ofany instruction. As a result, the hardware can monitor access of theguest OS to shared resource, while the software granted with a higherprivilege mode at a time of the access can check an access content ofthe guest OS.

Another example is a technology proposed by Advanced Micro Devices, Inc.A processor which implements this technology includes a mechanism forintercepting an interrupt, and a function for generating a virtualinterrupt by software. Hence, after the hypervisor intercepts aninterrupt, the processor can manage delivery of the interrupt to a guestOS which needs the interrupt. In addition, the processor is providedwith a mechanism for monitoring the access of a guest OS to an addresstranslation table. Thus, the guest OS is prevented from rewriting theaddress translation table freely in an attempt to access a memory regionassigned to other guest OS.

However, unlike advanced processors used in server computers or generalcomputers, existing processors embedded in system LSI or SoC (System onChip) have limited functions and are not provided with functions forsupporting virtualization: Usually, these processors support only twoprivilege modes, i.e., privilege mode and non-privilege mode. Whenplural guest OSs are executed on such a processor, each guest OSoperates in the privilege mode of highest level.

When a guest OS operates on such a processor in the privilege mode ofthe highest level, the guest OS can freely use an access controlmechanism of the processor. The processor cannot protect an interruptvector table, in which instructions are stored to be executed inresponse to an interrupt request, from rewriting by the guest OS. Theguest OS can make an attack by causing troubles by ignoring an interruptof a device used by other guest OS, or returning a false reply to theinterrupt of the device.

It means that the processor cannot protect itself using software alonewhen malicious software tries to disturb the delivery of an interrupt ofa device. This is because, since the guest OS operates on the processorin the privilege mode of highest level, and the interrupt of a devicedoes not occur synchronously with the operation of the processor, if themalicious software is operating at the moment the interrupt is notifiedto the processor, the processor cannot change over the control to otherguest OS or the like.

SUMMARY OF THE INVENTION

According to one aspect of the present invention, a device controlapparatus includes a processor that operates according to software, astorage unit that stores privileged software which manages an interruptto the processor from a device included in the device control apparatus,an OS storage unit that stores an Operation System for calling theprivileged software from the storage unit when an interrupt from thedevice is detected during an execution of the software, a detecting unitthat detects an interrupt to the Operation System from the device whilethe Operation System is operating on the processor, a judging unit thatjudges whether the Operation System has called the privileged softwarefrom the storage unit in a first predetermined time from detection ofthe interrupt to the Operation System from the device, and a resettingunit that resets the processor when the judging unit judges that theOperation System has not called the privileged software from the storageunit.

According to another aspect of the present invention, a device controlapparatus includes a processor that operates according to software, astorage unit that stores privileged software which manages an interruptto the processor from a device connected to the device controlapparatus, an OS storage unit that stores an Operation System forcalling the privileged software from the storage unit when an interruptfrom the device is detected during an execution of the software, adetecting unit that detects an interrupt to the Operation System fromthe device while the Operation System is operating on the processor, ajudging unit that judges whether the Operation System has called theprivileged software from the storage unit in a first predetermined timefrom detection of the interrupt to the Operation System from the device,and a resetting unit that resets the processor when the judging unitjudges that the Operation System has not called the privileged softwarefrom the storage unit.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an information processing apparatusaccording to a first embodiment;

FIG. 2 is a diagram of a configuration of software operating on aprocessor;

FIG. 3 is shows state transition of a timer managed by an interruptprocess monitoring device;

FIG. 4 is a flowchart of a processing procedure of the interrupt processmonitoring device;

FIG. 5 is a sequence diagram of a first example of a communicationprocedure among devices of the information processing apparatus;

FIG. 6 is a sequence diagram of a second example of the communicationprocedure among devices of the information processing apparatus;

FIG. 7 is a sequence diagram of a third example of the communicationprocedure among devices of the information processing apparatus;

FIG. 8 is a sequence diagram of a-fourth example of the communicationprocedure among devices of the information processing apparatus;

FIG. 9 is a block diagram of an interrupt process monitoring deviceaccording to modification 1 of the first embodiment.

FIG. 10 is a block diagram of an information processing apparatusaccording to modification 3 of the first embodiment;

FIG. 11 is a block diagram of an information processing apparatusaccording to modification 4 of the first embodiment;

FIG. 12 is a sequence diagram of a communication procedure among devicesof the information processing apparatus according to the modification 4of the first embodiment; and

FIG. 13 is a block diagram of an information processing apparatusaccording to modification 5 of the first embodiment.

DETAILED DESCRIPTION OF THE INVENTION

As shown in FIG. 1, an information processing apparatus 100 according toa first embodiment includes a system LSI 110, a first device 171, and asecond device 172.

The first device 171 and the second device 172 are connected to thesystem LSI 110, and are controlled by a processor 120 embedded in thesystem LSI 110. The first device 171 and the second device 172 may beprovided either in a housing of the information processing apparatus100, or outside the information processing apparatus 100. The number ofdevices connected to the information processing apparatus 100 is notlimited to two, but is arbitrary.

Each of the first device 171 and the second device 172 can be, forexample, a memory module, a hard disk drive, other external storagedevice of large capacity, a network interface, other externalcommunication device, a keyboard, a mouse, other input device used by auser for input, a display, or other external output device, but is notlimited to these.

The system LSI 110 includes a processor 120, an on-chip memory 130, aninterrupt controller 140, an interrupt process monitoring device 150, afirst device controller 161, a second device controller 162, a thirddevice controller 163, a third device 173, an on-chip bus 180 forconnecting the components, and a privileged state managing device 190.

The third device 173 is controlled by the processor 120 explained later.Similarly to the third device 173, devices controlled by the processormay be provided inside the system LSI 110.

The first device controller 161 accepts an access to the first device171 by the processor 120 or the like through the on-chip bus 180, andsends out a control signal to the first device 171 according to anaccess content. The first device controller 161 converts a signal sentfrom the first device 171 into data to be transmitted to the on-chip bus180, and transmits the data to the processor 120 or the like through theon-chip bus 180. Further, the first device controller 161 sends out aninterrupt request from the first device 171 to the interrupt controller140 to give notification to an interrupt accepting unit 125 of theprocessor 120 and the interrupt process monitoring device 150.

The second device controller 162 and the third device controller 163execute the same process as that executed by the first device controller161 except that the second device controller 162 and the third devicecontroller 163 control the second device 172 and the third device 173,respectively; therefore, the explanation thereof is not repeated.

The on-chip memory 130 stores privileged software 131, a first guest OS132, and a second guest OS 133 therein. In other words, the on-chipmemory 130 corresponds to a structure including a storage unit forstoring the privileged software 131, and an OS storage unit for storingthe first guest OS 132 and the second guest OS 133. In the firstembodiment, the privileged software 131, the first guest OS 132, and thesecond guest OS 133 are stored in one on-chip memory 130, but they maybe stored in separate storage units. The number of guest OSs stored inthe on-chip memory 130 is not limited to two, but is arbitrary.

The privileged software 131 is software for managing interrupts made bythe device. The privileged software 131 is regarded as a truly reliableunit, and is allowed to access a timer-initial-value setting unit 153 ofthe interrupt process monitoring device 150. When other guest OSreceives an interrupt request from a device while operating normally onthe processor 120, the guest OS calls the privileged software.Therefore, the privileged software 131 can manage all interrupts made bythe device(s). In the first embodiment, the privileged software 131 isexecuted immediately after the activation of the processor 120 andimmediately after the recovery of the processor from a reset withoutfail. Here, the reset means to forcibly change an instruction executedby the processor 120 to a predetermined instruction ignoring theprevious process. In the first embodiment, the reset is equivalent torewriting a content of a register, which stores an address of aninstruction of a currently-operating guest OS, process, or the like, oran address of an instruction to be fetched next, with an address of aninstruction of the privileged software.

A mechanism for assuring the reliability of the privileged software 131is not particularly specified. In the first embodiment, a read-onlyregion is provided on the on-chip memory 130, and privileged software131 is preliminarily written in this region at the time of manufacture.In other embodiment, the information processing apparatus 100 may beconnected to an authentication device, which checks through the on-chipbus 180 whether or not the privileged software 131 stored in the on-chipmemory 130 has been altered. The privileged software 131 may beactivated only when the authentication device determines that theprivileged software has not been altered.

In the first embodiment, while the privileged software 131 operates, theinformation processing apparatus 100 on which the privileged software131 operates is referred to be in a “privileged state”. When theprivileged software 131 starts operating on the processor 120, theprivileged state managing device 190 described later detects theprivileged state of the information processing apparatus 100, andnotifies a control unit 151 of the interrupt process monitoring device150. Thus, the control unit 151 of the interrupt process monitoringdevice 150 can recognize whether the information processing apparatus100 is in the privileged state or not. The control unit 151 of theinterrupt process monitoring device 150 may recognize the privilegedstate of the information processing apparatus 100 in any manner otherthan the one described above.

The privileged software 131 may restrict access to each device bysoftware, such as an OS and privileged software. In the firstembodiment, the second device 172 is controlled exclusively by the firstguest OS 132, and the third device 173 is controlled exclusively by thesecond guest OS 133.

The first guest OS 132 and the second guest OS 133 operate on theprocessor 120 described later. The first guest OS 132, the second guestOS 133, and applications operating on the OS are not permitted to accessthe interrupt process monitoring device 150.

This is because the guest OSs (for example, the first guest OS 132 andthe second guest OS 133) and application programs are not guaranteed tobe as reliable as the privileged software 131. When the guest OS orapplication program or other software is permitted to access theinterrupt process monitoring device 150 and if such software has defector malicious intent, the desired process of interrupt process monitoringdevice 150 may not be executed.

The on-chip memory 130 has a working area (not shown) to be used whenthe privileged software 131, the first guest OS 132, or the second guestOS 133 works on the processor 120 described later. The on-chip memory130 of the first embodiment includes a read-only memory (ROM) area inwhich the privileged software 131 is stored, and a random access memory(RAM) area in which the first guest OS 132 and the second guest OS 133are stored, and which includes the working area. The on-chip memory 130is not limited to such a structure, and may include any other storageunit used generally.

The privileged state managing device 190 constantly sends to the controlunit 151 of the interrupt process monitoring device 150 a signalindicating whether the information processing apparatus 100 is in theprivileged state or not. Specifically, the privileged state managingdevice 190 sends a signal indicating the privilege state to the controlunit 151 when the privileged software 131 stored in the on-chip memory130 is executed on the processor 120. The privileged state managingdevice 190 sends a signal indicating a non-privileged state to thecontrol unit 151 when software other than the privileged software 131,such as the first guest OS 132 or the second guest OS 133, is executedon the processor 120.

Desirably, the privileged state managing device 190 is implemented asthe hardware in order to avoid attack from malicious software.

The processor 120 includes a storage control unit 121, a control unit122, an operation unit 123, a processor reset control unit 124, and theinterrupt accepting unit 125. The privileged software 131, the firstguest OS 132, the second guest OS 133, and application program (notshown) operate on the processor 120.

As shown in FIG. 2, the privileged software 131 is arranged logically ina lower layer of the first guest OS 132 and the second guest OS 133. Thefirst guest OS 132 has an interrupt process routine 221, and the secondguest OS 133 has an interrupt process routine 222. The privilegedsoftware 131 has an interrupt management routine 211. In the firstembodiment, the location of the privileged software 131 is not limitedto the lower layer of the first guest OS 132 and the second guest OS133, and for example, the privileged software 131 may be disposed inparallel with the first guest OS 132 and the second guest OS 133.

Referring to FIG. 2, an example of normal processing is explained inwhich hardware included in a hardware group 201 sends a signalindicating an interrupt. Assume that the second guest OS 133 isoperating on the processor 120. When the second device 172 and the thirddevice 173 send notification of interrupts while the second guest OS 133is operating on the processor 120, the interrupt process routine 222 ofthe second guest OS 133 receives the notification. In the firstembodiment, the second device 172 is controlled exclusively by the firstguest OS 132, and the third device 173 is controlled exclusively by thesecond guest OS 133. In the example of FIG. 2, the interrupt processroutine 222 is notified of an interrupt from a device which iscontrollable by the second guest OS 133 and an interruption from adevice which is uncontrollable by the second guest OS 133.

The second guest OS 133 calls the privileged software 131 regardless ofthe controllability of the device which made the notified interrupt, andthe software operating on the processor 120 is switched from the secondguest OS 133 to the privileged software 131. Thus, the interruptmanagement routine 211 held by the privileged software 131 can recognizeall the notified interrupts.

The privileged software 131 calls a guest OS capable of controlling thedevice which sends the interrupt, and makes the called guest OS operateon the processor 120. When the privileged software 131 determines thatthe guest OS operating before the software switching has received pluralinterrupts, the privileged software 131 selects a guest OS based on apreset order of priority of interrupts, for example. In the exampleshown in FIG. 2, the privileged software 131 calls the second guest OS133 capable of controlling the third device 173. As a result, theinterrupt process routine 222 of the second guest OS 133 controls thethird device 173 according to the notification from the interruptmanagement routine 211.

Returning to FIG. 1, the control unit 122 controls an overall operationof the processor 120. The operation unit 123 performs an operationaccording to an instruction from the control unit 122.

The storage control unit 121 acquires an instruction from the on-chipmemory 130 and the like based on an instruction from the control unit122, or based on a result of operation in the operation unit 123.Further, the storage control unit 121 reads out data from, and writesdata into the on-chip memory 130. Further, the storage control unit 121accesses the devices 171 to 173 via device controllers 161 to 163,respectively.

The processor reset control unit 124, when receiving a reset requestfrom the interrupt process monitoring device 150 described later,notifies the control unit 122 of the reset request, and resets theprocessor 120 regardless of the content of the process being executed onthe processor 120.

The interrupt accepting unit 125 accepts an interrupt request of thedevices 171 to 173 sent from the interrupt controller 140. According tothe content of the interrupt, the interrupt accepting unit 125 gives aninstruction to the control unit 122 to execute an instruction stored ina predetermined location in an interrupt vector table. Thereby, thesoftware operating on the control unit 122 recognizes the generation ofthe interrupt.

Signals input to and output from the processor 120 include addresssignals and data signals supplied from the on-chip memory 130 and otherdevices through the on-chip bus 180, device interrupt notificationsignals supplied from the interrupt controller 140, and processor resetsignals supplied from the interrupt process monitoring device 150described later. Input/output ports for these signals are provided inany processor even if it does not incorporate the function forsupporting virtualization.

It means that the interrupt process monitoring device 150 and theprivileged state managing device 190 can be embedded into anyinformation processing apparatus independent of the types and thenumbers of input/output signals supported by a processor embedded in theinformation processing apparatus. In other words, any processor whichdoes not incorporate the functions for supporting the virtualization canrealize a delivery of an interrupt from a device to an appropriate guestOS, when the interrupt process monitoring device 150 and the privilegedstate managing device 190 are embedded into the information processingapparatus in the configuration as described above.

The interrupt controller 140 includes a device interrupt notificationunit 141, a device interrupt processing unit 142, and a device interruptsetting unit 143. The interrupt controller 140 is connected to theinterrupt process monitoring device 150 and the processor 120 through adedicated line for interrupts. The interrupt controller 140 can notifythe processor 120 and the interrupt process monitoring device 150 of theinterrupt requests received from the device controllers 161 to 163.

In the first embodiment, the device controllers 161 to 163 and theinterrupt controller 140 are connected through the line dedicated forinterrupts as shown in FIG. 1, but they may be connected via the on-chipbus 180. Similarly, in the first embodiment, the interrupt controller140, the processor 120, and the interrupt process monitoring device 150are connected through the line dedicated for interrupts, but they may beconnected via the on-chip bus 180.

The device interrupt setting unit 143 stores therein a setting for eachdevice concerning whether to ignore the interrupt request from thedevices 171 to 173 or not.

The device interrupt processing unit 142 is connected to the devicecontrollers 161 to 163 which control the devices 171 to 173,respectively, through the line dedicated for interrupts. The deviceinterrupt processing unit 142 receives interrupts from the devicecontrollers 161 to 163 through the dedicated line for interrupts. Thedevice interrupt processing unit 142 further includes a mechanism forchecking which device has issued an interrupt request, and a mechanismfor receiving a reply to the interrupt request, via the on-chip bus 180.

When the device interrupt processing unit 142 receives an interruptrequest, the device interrupt notification unit 141 determines whetherto ignore the interrupt request or not according to the setting storedin the device interrupt setting unit 143. On determining that theinterrupt request is not to be ignored, the device interruptnotification unit 141 notifies the processor 120 and the interruptprocess monitoring device 150 of the interrupt request.

The interrupt process monitoring device 150 includes the control unit151, a timer 152, the timer-initial-value setting unit 153, and aprocessor reset signal generating unit 154.

The timer-initial-value setting unit 153 receives an initial-valuesetting request for the timer 152 described later from the privilegedsoftware 131 operating on the processor 120. Then, thetimer-initial-value setting unit 153 notifies the control unit 151described later of the reception of the initial-value setting request,and sets an initial value of the timer 152 according to an instructionfrom the control unit 151. The initial value to be set by thetimer-initial-value setting unit 153 is a value included in theinitial-value setting request.

The timer 152 is controlled by the control unit 151. In the firstembodiment, the timer 152 is a count-down timer which monotonouslydecreases a count value from an initial value (positive value) preset bythe timer-initial-value setting unit 153 to zero. The type of the timer152 is not limited to the count-down type, and the timer 152 may be acount-up timer which monotonously increases the count value from zero toa preset initial value (positive value).

The control unit 151 includes a detecting unit 155, and a judging unit156, and controls an overall operation of the interrupt processmonitoring device 150. The control unit 151 executes processingdepending on: the interrupt notification from the interrupt controller140; whether the information processing apparatus 100 is in theprivileged state or not; the count value of the timer 152; the initialvalue of the timer preset by the timer-initial-value setting unit 153,and whether the initial-value setting request has been sent to thetimer-initial-value setting unit 153 or not. The control unit 151 holdsstate information of the interrupt process monitoring device 150.

The detecting unit 155 detects the interrupts from the devices 171 to173 based on the interrupt notification from the interrupt controller140.

The judging unit 156 judges whether the software operating on theprocessor 120 has called the privileged software 131 or not when thecount value of the timer 152 reaches zero. The judging unit 156 judgesthat the privileged software 131 has been called when it has beennotified from the timer-initial-value setting unit 153 that thetimer-initial-value setting device 153 has received atimer-initialization request from the privileged software 131 operatingon the processor 120. The detailed procedure of the judging is explainedlater.

The processor-reset-signal generating unit 154 sends a signal ofprocessor reset request to the processor reset control unit 124 of theprocessor 120 according to an instruction from the control unit 151.

The control unit 151 manages the state information of the interruptprocess monitoring device 150. As shown in FIG. 3, four states are setas the state information, i.e., stop state, ready state, running state,and pending state.

State transition occurs according to: the interrupt notification fromthe interrupt controller 140; a signal sent from the privileged statemanaging device 190 indicating whether the information processingapparatus 100 is in the privileged state or not; the operating state ofthe timer 152; and the notification of timer-initial-value settingrequest by the privileged software 131 from the timer-initial-valuesetting unit 153. Each of the states shown in FIG. 3, the statetransition, and the conditions for state transition are explained below.

In the stop state, the timer 152 is not operating, and has not beeninitialized. The control unit 151 sets the stop state as the stateinformation of the interrupt process monitoring device 150 when theinformation processing apparatus 100 is activated (transition ofreference numeral 301). Further, the control unit 151 sets the stopstate as the state information of the interrupt process monitoringdevice 150 when the processor 120 is reset as a result of the generationof the processor reset signal by the processor-reset-signal generatingunit 154 while the interrupt process monitoring device 150 is in therunning state or in the pending state (transition of reference numeral307 and reference numeral 309).

The control unit 151, when notified from the timer-initial-value settingunit 153 that the initial-value setting request of the timer 152 hasbeen sent from the privileged software 131 while the interrupt processmonitoring device 150 is in the stop state, instructs thetimer-initial-value setting unit 153 to set the initial value of thetimer 152, and sets the state information of the interrupt processmonitoring device 150 in the ready state (transition of referencenumeral 302). As a result, the initial value is set in the timer 152.The initial value is a value indicating a time allowed to pass from theinterrupt process monitoring device 150 is notified of the deviceinterrupt until the privileged software 131 starts execution on theprocessor 120. For example, if the privileged software 131 has not beencalled at the time when the timer 152 finishes counting from the initialvalue to zero, the judging unit 156 judges that the processor 120 is tobe reset.

The ready state is a state in which the timer-initial-value setting unit153 finishes setting the initial value of the timer 152, and the timer152 is ready to start counting. In the ready state, though the initialvalue of the timer 152 is set, the timer 152 has not started counting.If the control unit 151 receives a notification from thetimer-initial-value setting unit 153 that the timer-initial-valuesetting request is sent from the privileged software 131 while theinterrupt process monitoring device 150 is in one of the stop state,running state, pending state, and ready state, the control unit 151instructs the timer-initial-value setting unit 153 to set the initialvalue in the timer 152, and sets the state information of the interruptprocess monitoring device 150 in the ready state (transition ofreference numeral 302, reference numeral 305, reference numeral 308, andreference numeral 303). With the transitions indicated by referencenumeral 302, reference numeral 305, reference numeral 308, and referencenumeral 303, the initial value of the timer 152 is set.

When the control unit 151 receives a notification from the interruptcontroller 140 that the interrupt occurs while the interrupt processmonitoring device 150 is in the ready state, the control unit 151 makesthe timer 152 start counting, and sets the state information of theinterrupt process monitoring device 150 in the running state (transitionof reference numeral 304).

The running state is a state in which the timer 152 is counting down,and the count value has not reached zero. Since the time set as initialvalue has not elapsed, the processor-reset-signal generating unit 154has not generated the processor reset signal.

When the timer 152 is a count-down timer which starts counting down fromthe preset initial value as in the first embodiment, the timer 152continues to count down according to periodic input signals such asclock until the count value reaches zero.

When the judging unit 156 judges that the privileged software 131 isoperating on the processor 120 at the time the count value of the timer152 reaches zero (i.e., when the preset time has passed) while the stateinformation of the interrupt process monitoring device 150 is set to therunning state, the control unit 151 sets the state information of theinterrupt process monitoring device 150 in the pending state (transitionof reference numeral 306). The judging unit 156 can judge if theprivileged software 131 is operating on the processor or not based onthe notification which is sent from the privileged state managing device190 to indicate whether the information processing apparatus 100 is inthe privileged state or not. In the transition of reference numeral 306,the control unit 151 instructs the timer 152 to stop counting.

When the judging unit 156 judges that the privileged software 131 is notoperating on the processor 120 at the time the count value of the timer152 reaches zero while the state information of the interrupt processmonitoring device 150 is set to the running state, the control unit 151sets the state information of the interrupt process monitoring device150 in the stop state (transition of reference numeral 307). In thetransition of reference numeral 307, the control unit 151 instructs thetimer 152 to stop counting, and also instructs theprocessor-preset-signal generating unit 154 to send outprocessor-reset-request signal to the processor reset control unit 124.As a result, the processor 120 is reset.

The pending state is a state in which the generation of the processorreset signal is suppressed after the preset time has elapsed.

When the control unit 151 is notified from the timer-initial-valuesetting unit 153 that the initial-value setting request for the timer152 made by the privileged software 131 has been received, while thestate information of the interrupt process monitoring device 150 is thepending state, the state information of the interrupt process monitoringdevice 150 is set in the ready state (transition of reference numeral308), and the timer-initial-value setting unit 153 is instructed to setthe initial value in the timer 152. As a result, the initial value isset in the timer 152.

When the judging unit 156 judges that software other than the privilegedsoftware 131 is operating on the processor 120 (i.e., that theinformation processing apparatus is not in the privileged state)although the timer-initial-value setting unit 153 has not received theinitial-value setting request for the timer 152, while the stateinformation of the interrupt process monitoring device 150 is in pendingstate, the control unit 151 instructs the processor-reset-signalgenerating unit 154 to send out the processor reset signal, and sets thestate information of the interrupt process monitoring device 150 in thestop state (transition of reference numeral 309). As a result, theprocessor 120 is reset.

Processing procedure executed by the interrupt process monitoring device150 is explained below with reference to FIG. 4. In the processingprocedure shown in FIG. 4, after the information processing apparatus100 is powered on, the control unit 151 initially sets the stateinformation of the interrupt process monitoring device 150 in the stopstate (step S401).

The timer-initial-value setting unit 153 of the interrupt processmonitoring device 150 determines if the timer-initial-value settingrequest has been received or not from the privileged software 131operating on the processor 120 (step S402). On determining that therequest has not been received (No at step S402), the timer-initial-valuesetting unit 153 continues the detection process of timer-initial-valuesetting request (step S402).

On determining that the timer-initial-value setting request has beenreceived (Yes at step S402), the timer-initial-value setting unit 153notifies the control unit 151 of the reception of the initial-valuesetting request for the timer 152. In response to the notification, thecontrol unit 151 instructs the timer-initial-value setting unit 153 toset the initial value of the timer 152 (step S403). The control unit 151sets the state information of the interrupt process monitoring device150 in the ready state (step S404).

The detecting unit 155 performs a detection process of a notificationsignal indicating the interrupt of a device transmitted from theinterrupt controller 140 (step S405). When the detecting unit 155 doesnot detect the notification signal indicating the device interrupt (Noat step S405), the detecting unit 155 continues the detection process ofthe notification signal (step S405),

When the detecting unit detects the notification signal indicating thedevice interrupt (Yes at step S405), the control unit 151 instructs thetimer 152 to operate, and the timer 152 starts the operation (stepS406). In the first embodiment, the timer counts down from the initialvalue. Thus, the lapse of time from the detection of interrupt signalcan be counted.

When the control unit 151 makes the timer 152 start counting, thecontrol unit 151 sets the state information of the interrupt processmonitoring device 150 in the running state (step S407). Then, thecontrol unit 151 determines if the control unit 151 has been notifiedthat the timer-initial-value setting unit 153 has received thetimer-initial-value setting request from the privileged software 131operating on the processor 120 (step S408). If the control unit 151determines that it has been notified of the reception of thetimer-initial-value setting request by the timer-initial-value settingunit 153 (Yes at step S408), the control unit 151 instructs the timer152 to stop counting. As a result, counting of the timer 152 stops (stepS409). The control unit 151 instructs the timer-initial-value settingunit 153 to set the initial value of the timer 152 (step S403).

When the control unit 151 determines that it has not been notified ofthe reception of the timer-initial-value setting request by thetimer-initial-value setting unit 153 (No at step S408), the control unit151 determines whether a predetermined time has passed since thedetection of the notification indicating the device interrupt (stepS410). The control unit 151 can make this determination by determiningwhether the count value of the timer 152 starting from the initial valuehas reached zero or not.

On determining that the predetermined time has not passed (No at stepS410), the control unit 151 determines again whether thetimer-initial-value setting unit 153 has received the initial-valuesetting request for the timer 152 or not (step S408).

On determining that the predetermined time has passed (Yes at S410), thecontrol unit 151 makes the timer 152 stop counting (step S411).

The judging unit 156 judges if the software operating on the processor120 is the privileged software 131 or not (step S412). The judging unit156 can determine based on the signal from the privileged state managingdevice 190.

On determining that the privileged software 131 is operating on theprocessor 120 (Yes at step S412), the control unit 151 sets the stateinformation of the interrupt process monitoring device 150 in thepending state (step S413).

Afterwards, the control unit 151 determines if the timer-initial-valuesetting unit 153 has received the initial-value setting request for thetimer 152 or not from the privileged software 131 operating on theprocessor 120 (step S414). On determining that the timer-initial-valuesetting unit 153 has not received the initial-value setting request forthe timer 152 (No at step S414), the control unit 151 determines againwhether the privileged software 131 is operating on the processor 120 ornot (step S412).

On determining that the software operating on the processor 120 is notthe privileged software 131 (No at step S412), the control unit 151instructs the processor-reset-signal generating unit 154 to transmit asignal requesting processor reset to the processor reset control unit124. As a result, the processor 120 is reset (step S415).

After the processor 120 is reset, the control unit 151 sets the stateinformation of the interrupt process monitoring device 150 in the stopstate (step S401). The processes in step S402 and the subsequent stepsare executed again.

By this process, the processor 120 can be reset when the devices 171 to173 generate the interrupt request and the privileged software 131 isnot called within a predetermined time.

The process executed by components of the information processingapparatus 100 in the first embodiment is explained in detail withreference to sequence diagrams. In FIGS. 5 to 8, the length of avertical line segment indicates the lapse of time. Arrows indicatedamong the third device 173, the interrupt controller 140, the processor120, and the interrupt process monitoring device 150 show communicationexchanged among these components.

Below the box labeled as “processor 120” in FIGS. 5 to 8, the softwareoperating on the processor is shown. The third device 173 and theinterrupt controller 140 communicate with each other via the thirddevice controller 163, though not shown in the drawings. Below the boxlabeled as “interrupt process monitoring device 150”, the stateinformation of the interrupt process monitoring device 150 is shown.

FIGS. 5 to 8 show communications exchanged after the informationprocessing apparatus 100 is powered on. The initial value of the stateinformation managed by the interrupt process monitoring device 150 isthe stop state. The software operating on the processor 120 at thebeginning is the privileged software 131.

The processing procedure shown in FIGS. 5 to 8 is not a processperformed only after the information processing apparatus 100 is turnedon, and may be performed appropriately during the running of theinformation processing apparatus 100. In the processing procedure shownin FIGS. 5 to 8, the state information managed by the interrupt processmonitoring device 150 is supposed to be initially set in the stop state,but the initial state information is not limited to the stop state.

In the processing procedure shown in FIGS. 5 to 8, the interruptcontroller 140 is set so as not to ignore the interrupt notified fromthe third device controller 163.

The sequence diagram of FIG. 5 shows a case in which thetimer-initial-value setting unit 153 receives the initial-value settingrequest for the timer from the privileged software 131 within apredetermined time after the third device 173 gives a notificationindicating the interrupt.

First, the privileged software 131 operating on the processor 120transmits the initial-value-setting request for the timer 152 to thetimer-initial-value setting unit 153 of the interrupt process monitoringdevice 150 (step S501). Then, the timer-initial-value setting unit 153notifies the control unit 151 of the reception of the initial-valuesetting request. The control unit 151 instructs the timer-initial-valuesetting unit 153 to set the initial value in the timer, and thetimer-initial-value setting unit 153 sets the initial value in the timer152, accordingly. The control unit 151 changes the state information ofthe interrupt process monitoring device 150 from the stop state to theready state. This process corresponds to the process at step S402 tostep S404 shown in FIG. 4.

The privileged software 131 must set sufficient time as the initialvalue of the timer 152, so that there is enough time to transfer thecontrol over to the privileged software 131 after the first guest OS 132or the second guest OS 133 detects the interrupt. This is because, if avery short time is set as the initial value, the first guest OS 132 orthe like may not be able to call the privileged software 131 within aset time even if the first guest OS 132 or the like is not defective ormalicious. Then, the first guest OS 132 or the like may not operatenormally. On the other hand, if a very long time is set as the initialvalue, and the first guest OS 132 or the like has malicious intent, suchsoftware may be given a sufficient time for making unjust process.

When the timer-initial-value setting unit 153 can accept an arbitraryvalue as the initial value of the timer 152, the initial value to bespecified may be determined, for example, in consideration of interruptresponse time of each guest OS (i.e., time from the notification ofinterrupt till the notification to the privileged software), ordepending on the type or feature of a device (which might affect thelength of the interrupt response time).

Returning to the process, the privileged software 131 operating on theprocessor 120 calls the first guest OS 132, and changes the softwareoperating on the processor 120 to the first guest OS 132 (step S502). Asa result, the first guest OS 132 starts to operate. At this time, thenotification from the privileged state managing device 190 is changed tothe one indicating that the information processing apparatus 100 is notin the privileged state. Here, even though the notification indicatingthe privileged state/non-privileged state sent from the privileged statemanaging device 190 changes, the control unit 151 maintains the readystate as the state information of the interrupt process monitoringdevice 150, since the signal of interest in the ready state does notchange.

The third device 173 notifies the interrupt controller 140 of interruptrequest via the third device controller 163 (step S503).

After confirming that the interrupt controller 140 is set so as not toignore the interrupt notified from the third device controller 163 basedon the information stored in the device interrupt setting unit 143, theinterrupt controller 140 notifies the processor 120 of the interruptrequest (step S504).

The interrupt controller 140 also notifies the interrupt processmonitoring device 150 of the occurrence of the interrupt, substantiallysimultaneously with the notification in step S504 (step S505). As aresult, the control unit 151 of the interrupt process monitoring device150 makes the timer 152 start operation (step S506). Further, thecontrol unit 151 changes the managed state information from the readystate to the running state in response to the notification of theoccurrence of the device interrupt from the interrupt controller 140.The process after the reception of the notification of the occurrence ofinterrupt corresponds to the process at step S405 to step S407 in FIG.4.

On receiving the interrupt request from the interrupt controller 140,the interrupt accepting unit 125 of the processor 120 instructs thecontrol unit 122 to execute an instruction for the interrupt process.With this instruction, an instruction sequence being executed by thefirst guest OS 132 is forcibly changed to an instruction sequencededicated for the device interrupt. The first guest OS 132 then callsthe privileged software 131, which is previously set for thenotification of the interrupt process, so as to notify the privilegedsoftware 131 of the notification of the interrupt. As a result, thesoftware operating on the processor 131 is changed from the first guestOS 132 to the privileged software 131 (step S507). In this process, thesignal notified by the privileged state managing device 190 is changedto the one indicating that the information processing apparatus 100 isin the privileged state. The control unit 151, however, maintains therunning state as the state information of the interrupt processmonitoring device 150 since the signal monitored by the control unit 151in the running state does not change.

Different from the processor 120 in the first embodiment, in theprocessor for general computers having protection mechanism of interruptvectors, the latter half of the process shown in step S507, that is,change from the first guest OS to the privileged software, is executedforcibly by the hardware implemented in the processor. Accordingly,complete management of interrupts by the privileged software isrealized. In the first embodiment, by contrast, the processor 120 is notprovided with such a function, being a processor conventionally embeddedand used in the system LSI, SoC or the like. In such a processor, thecontrol is not transferred to the privileged software 131 unless thefirst guest OS 132 or the like calls the privileged software 131 in anexplicit manner.

The privileged software 131 notified of the occurrence of interrupt fromthe first guest OS 132 sends the timer-initial-value setting unit 153 ofthe interrupt process monitoring device 150 the initial-value-settingrequest for the timer 152 so that the timer 152 is stopped and the nextinterrupt can be detected at any time (step S508). The control unit 151instructs to stop the timer 152, and instructs the timer-initial-valuesetting unit 153 to set the initial value of the timer 152.

Here, the notification of the initial-value-setting request for thetimer 152 from the privileged software 131 is supposed to be acceptedbefore the count value of the timer 152 becomes zero. Since thetimer-initial-value setting unit 153 receives the initial-value-settingrequest within a predetermined time, the control unit 151 changes thestate information of the managed interrupt process monitoring device 150from the running state to the ready state. The process after thereception of the notification of the initial-value-setting request ofthe timer 152 corresponds to the process in steps S408, S409, S403 andS404 in FIG. 4.

The privileged software 131 operating on the processor 120 confirms theinterrupt request with the interrupt controller 140 (step S509).Further, the privileged software 131 performs processes, such astransmission/reception of signals to/from the third device 173, asnecessary, for identifying the device causing interrupt (step S510).Thus, the privileged software 131 identifies the device causinginterrupt and the software exclusively using this device or responsiblefor processing. In the processing procedure shown in FIG. 5, theidentified software is the second guest OS 133. In these processes, thesignal monitored by the control unit 151 does not change, and the stateinformation of the interrupt process monitoring device 150 managed bythe interrupt process monitoring device 150 is maintained in the readystate.

Afterwards, the privileged software 131 notifies the timer-initial-valuesetting unit 153 of the interrupt process monitoring device 150 of theinitial-value-setting request for the timer 152 (step S511). When thetimer-initial-value setting unit 153 receives the initial-value-settingrequest for the timer 152, the state information of the interruptprocess monitoring device managed by the control unit 151 is the readystate, and the signal monitored by the control unit 151 in the readystate does not change. Therefore, the state information is maintained inthe ready state.

When the privileged software 131 operating on the processor 120 callsthe second guest OS 133, the software operating on the processor 120 ischanged from the privileged software 131 to the second guest OS 133which is responsible for processing of the third device 173 (step S512).By this process, the signal notified by the privileged state managingdevice 190 changes to the one indicating that the information processingapparatus 100 is not in the privilege state. However, since the signalmonitored by the control unit 151 does not change, the state informationof the interrupt process monitoring device 150 managed by the controlunit 151 is maintained in the ready state.

In the sequence diagram show in FIG. 6, the operating software is notchanged from the first guest OS 132 to the privileged software 131 dueto trouble in the first guest OS 132. In this example, though apredetermined time has passed since the notification of the interruptrequest from the third device 173, the timer-initial-value setting unit153 does not receive the initial-value-setting request for the timer 152from the privileged software 131, and the first guest OS 132 remainsoperating.

Process in steps S601 to S606 in FIG. 6 is the same as the process insteps S501 to S506 in FIG. 5, and the explanation thereof is notrepeated.

The control unit 151 determines that the predetermined time has passedsince the reception of the notification of the occurrence of theinterruption by detecting that the count value of the timer 152 hasbecome zero (step S607). Then, the control unit 151 stops the countingof the timer 152.

During the process of step S607 in FIG. 6, the privileged state managingdevice 190 keeps sending the signal indicating that the informationprocessing apparatus 100 is not in the privileged state. Thus, thejudging unit 156 can judge that the software operating on the processor120 is not changed to the privileged software 131.

The control unit 151 of the interrupt process monitoring device 150instructs the processor-reset-signal generating unit 154 to generate aprocessor reset signal (step S608), thereby resetting the processor 120.As a result, the first guest OS 133 having a trouble can be terminatedforcibly.

After resetting the processor 120, the control unit 151 changes thestate information of the managed interrupt process monitoring device 150from the running state to the stop state. The process after detectingthat the count value of the timer 152 has become zero corresponds to theprocess at steps S410, S411, S412, S415, and S401 in FIG. 4.

The processor 120 is restarted after resetting and starts executing theprivileged software 131 (step S609). As a result, the privilegedsoftware 131 can check the interrupts not notified from the first guestOS 132.

The process in steps S610 to S613 in FIG. 6 is the same as the processin steps S509 to S512 in FIG. 5, and the explanation thereof is notrepeated.

The sequence diagram in FIG. 7 shows an example in which the controlunit 151 sets the state information of the managed interrupt processmonitoring device 150 in the pending state in order to prevent unstableoperations at a time the software operating on the processor 120changes. In the example, though the operating software is changed fromthe first guest OS 132 to the privileged software 131, the privilegedsoftware 131 sends the initial-value-setting request for the timer 152to the timer-initial-value setting unit 153 late. As a result, apredetermined time passes after the notification of the interrupt fromthe third device 173.

The process in steps S701 to S706 in FIG. 7 is the same as the processin steps S501 to S506 in FIG. 5, and the explanation thereof is notrepeated.

When the first guest OS 132 operating on the processor 120 calls theprivileged software 131, the software operating on the processor 120 ischanged from the first guest OS 132 to the privileged software 131 (stepS707). Process of software changing is the same as that explained withreference to FIG. 5, and the explanation thereof is not repeated.

Though the software operating on the processor 120 is changed from thefirst guest OS 132 to the privileged software 131, the count value ofthe timer 152 reaches zero before the privileged software 131 sends theinitial-value-setting request for the timer 152 to thetimer-initial-value setting unit 153. As a result, the control unit 151determines that the predetermined time has passed since the occurrenceof interrupt (step S708). Then the control unit 151 instructs the timer152 to stop operation. These processes correspond to steps S410 to S411in FIG. 4.

The control unit 151 can recognize that the information processingapparatus 100 is in the privileged state, i.e., that the privilegedsoftware 131 is operating on the processor, based on the notificationfrom the privileged state managing device 190.

Accordingly, the control unit 151 changes the state information of theinterrupt process monitoring device 150 managed by the control unit 151from the running state to the pending state. In the pending state, thecontrol unit 151 does not give a processor-reset-signal generationrequest to the processor-reset-signal generating unit 154. Theseprocesses correspond to steps S412 to S413 in FIG. 4.

The privileged software 131 notified of the occurrence of interrupt bythe first guest OS 312 sends the initial-value-setting request for thetimer 152 to the timer-initial-value setting unit 153 (step S709). Thecontrol unit 151 is notified of the reception of the request by thetimer-initial-value setting unit 153, and instructs thetimer-initial-value setting unit 153 to set the initial value of thetimer 152 as well as changes the state information of the managedinterrupt process monitoring device 150 from the pending state to theready state.

The process in steps S710 to S713 in FIG. 7 is the same as the processin steps S509 to S512 in FIG. 5, and the explanation thereof is notrepeated.

The sequence diagram in FIG. 8 shows an example in which after the stateinformation of the interrupt process monitoring device 150 managed bythe control unit 151 is set to the pending state, the first guest OS 132does not call the privileged software 131 in a predetermined manner tonotify the interruption, in other words, the first guest OS 132 performsan unjust operation, and the privileged software 131 does not requestthe initial value setting of the timer 152 to the timer-initial-valuesetting unit 153. In the example, though the software operating on theprocessor 120 is changed from the first guest OS 132 to the privilegedsoftware 131 after the notification of the interrupt from the thirddevice 173, the software operating on the processor 120 is changed againfrom the privileged software 131 to the first guest OS 132 before therequest is sent for the initial value setting of the timer 152.

The process in steps S801 to S806 in FIG. 8 is the same as the processin steps S501 to S506 in FIG. 5, and the explanation thereof is notrepeated.

The first guest OS 132 operating on the processor 120 does not notifythe occurrence of the interrupt to the privileged software 131 in amanner of privileged calling which is predetermined for the notificationof the interrupt process, though the first guest OS 132 recognizes theoccurrence of the interrupt. Instead, the first guest OS 132 calls theprivileged software 131 by performing a privileged calling in adifferent manner. The reason why the first guest OS 132 performs suchprocessing can be that the first guest OS 132 is malicious or that thefirst guest OS 132 has some trouble.

As a result, the software operating on the processor 120 is changed fromthe first guest OS 132 to the privileged software 131 (step S807). Thesignal sent from the privileged state managing device 190 to indicatewhether the information processing device 100 is in the privileged stateor not is changed to a signal indicating the privileged state becausethe privileged software 131 is operating.

Then, suppose that the count value of the timer 152 reaches zero. As aresult, the control unit 151 determines that the predetermined time haspassed since the occurrence of interrupt (step S808). Therefore thecontrol unit 151 instructs the timer 152 to stop operation. Theseprocesses correspond to steps S410 to S411 in FIG. 4.

At this time, the control unit 151 can recognize that the informationprocessing apparatus 100 is in the privileged state, in other words,that the privileged software 131 is operating on the processor 120,based on the notification from the privileged state managing device 190.

Accordingly, the control unit 151 changes the state information of themanaged interrupt process monitoring device 150 from the running stateto the pending state. These processes correspond to steps S412 to S413in FIG. 4.

Though the privileged software 131 is called by the first guest OS 132,the calling is not for notifying the interrupt process. Therefore, theprivileged software 131 does not request initial value setting of thetimer 152 to the timer-initial-value setting unit 153, and returns theprocess to the first guest OS 132 on finishing the called process (stepS809).

When the software operating on the processor 120 is changed from theprivileged software 131 to the first guest OS 132, the signal sent fromthe privileged state managing device 190 to indicate whether theinformation processing apparatus 100 is in the privilege state or not ischanged to the one indicating that the information processing apparatus100 is not in the privilege state, and the control unit 151 canrecognize that the information processing apparatus 100 is not in theprivilege state. This process corresponds to the process in step S412 inFIG. 4.

After recognizing that the information processing apparatus 100 is notin the privileged state, the control unit 151 instructs theprocessor-reset-signal generating unit 154 to generate a processor resetsignal, and the processor-reset-signal generating unit 154 generates aprocessor reset signal (step S810). As a result, the processor 120 isreset.

After the reset of the processor 120, the control unit 151 changes thestate information of the managed interrupt process monitoring device 150from the pending state to the stop state. The process after theinstruction with the processor reset signal corresponds to the processin steps S415 and S401 in FIG. 4.

In the processing procedure shown in FIG. 8, since the pending stateexists as the state information of the interrupt process monitoringdevice 150 managed by the control unit 151, even if the time has passedlonger than the predetermined time, the processor 120 can be resetsecurely without overlooking troubles occurring in the first guest OS132 or the second guest OS 133.

The processor 120 is restarted after the reset, and starts executing theprivileged software 131 (step S811). As a result, the privilegedsoftware 131 can check an interrupt not notified from the first guest OS132.

The process in steps S812 to S815 in FIG. 8 is the same as the processfrom steps S509 to S512 in FIG. 5, and the explanation thereof is notrepeated.

By this processing procedure, even if the occurrence of interruptinduced by the devices 171 to 173 is not notified to the privilegedsoftware 131 due to malicious intent or defect of the guest OS, theprocessor 120 is reset by the interrupt process monitoring device 150 ina predetermined time. Further, since the privileged software 131 isexecuted when the processor 120 is restarted, the privileged software131 can check occurred interrupts.

The privileged software 131 performs management so that the softwaresuch as the guest OS that causes the processor 120 to be reset is notexecuted. When the privileged software 131 manages in this manner, theinformation processing apparatus 100 can operate safely without theguest OS which causes the reset even when the guest OS is malicious ordefective.

Conventionally, the delivery of the device interrupt to the correctguest OS or the correct program cannot be performed without theprocessor provided with functions for supporting the virtualization. Inthe first embodiment, however, even when the system LSI is configuredfor the embedded devices with the use of the processor not provided withthe functions for supporting virtualization, the delivery can berealized with an additional hardware without any modification to theprocessor.

The invention is not limited to the above embodiment, and variousmodifications are possible as illustrated below.

In the first embodiment, the timer 152 is a count-down timer whichcounts down from the preset initial value to zero. The timer used forcounting the time elapsed since the occurrence of device interrupt isnot limited to the count-down timer. In modification 1 of the firstembodiment, an up-counter is used. The structure of the modification 1is the same as that of the first embodiment except for the structure ofthe interrupt process monitoring device, and the explanation thereof isnot repeated.

As shown in FIG. 9, an interrupt process monitoring device 910 in themodification 1 of the first embodiment is similar to the interruptprocess monitoring device 150 in the first embodiment, except that thetimer-initial-value setting unit 153 is eliminated, that atimer-maximum-value setting unit 911 is added, that the timer 152 isreplaced with a timer 912 which performs a different process from theprocess of the timer 152, and that the control unit 151 is replaced witha control unit 913 which performs a different process from the processof the control unit 913. The structure of the interrupt processmonitoring device 910 of the modification 1 which is the same as thestructure of the interrupt process monitoring device 150 is notexplained again.

The timer-maximum-value setting unit 911 receives a maximum-valuesetting request of the timer 912 described later from the privilegedsoftware 131. The timer-maximum-value setting unit 911 notifies thecontrol unit 913 of reception of the maximum-value setting request forthe timer 912, and sets the maximum value in the timer 912 according tothe instruction from the control unit 913. The maximum value set by thetimer-maximum-value setting unit 911 is an arbitrary value included inthe maximum-value setting request.

The timer 912 is controlled by the control unit 913. In the modification1, the timer 912 is an up-counter-type timer which monotonouslyincreases the count value from zero to the maximum value (positivevalue) previously set by the timer-maximum-value setting unit 911.

The control unit 913 monitors the count value of the timer 912, anddetermines if the count value of the timer 912 has become equal to themaximum value set by the maximum value setting unit 911 or not.

In line with the modification of the interrupt process monitoring device150, the signal transmitted from the processor 120 is modified from theinitial-value setting request of the first embodiment to themaximum-value setting request. The transmission timing of maximum-valuesetting request is the same as that of the initial-value setting requestin the first embodiment, and the explanation thereof is not repeated.

When notified of the reception of the maximum-value setting request fromthe timer-maximum-value setting unit 911, the control unit 913 sets thestate information of the interrupt process monitoring device 910 in theready state. Here, the ready state is a state in which the maximum valueof the timer 912 is set by the timer-maximum-value setting unit 911, andthe timer 912 is ready to start counting. Other transitions andprocesses are the same as in the ready state in the first embodiment,and the explanation thereof is not repeated.

In the running state, the timer 912 has started counting up, but thecount value has not reached the maximum value. That is, the timer 912 ofthe modification 1 counts up from zero up to the maximum value accordingto periodic input signals such as clock. Other transitions and processesare the same as in the running state in the first embodiment, and theexplanation thereof is not repeated.

In the stop state and the pending state, when the control unit 913 isnotified that the timer-maximum-value setting unit 911 receives themaximum-value setting request for the timer 912 from the privilegedsoftware 131, the control unit 913 sets the state information of theinterrupt process monitoring device 910 in the ready state. Other thanthat, the modification 1 is the same as the first embodiment and theexplanation thereof is not repeated.

The first embodiment and the modification 1 are not intended to limitthe timer of the interrupt process monitoring device to the up-counteror down-counter, and various other counters may be similarly used.

In the interrupt process monitoring device 150 in the first embodiment,the initial value set in the timer 152 is an arbitrary value included inthe initial-value setting request transmitted from the privilegedsoftware 131. Alternatively, however, the initial value to be set maynot be included in the initial-value setting request transmitted fromthe privileged software 131, and an initial value preliminarily writtenin a ROM or the like at the time of manufacture or shipment may be usedand set. In modification 2 of the first embodiment, the initial value ispreliminarily written in the ROM or the like at the time of manufactureor shipment.

When the initial value is written in the ROM or the like as in themodification 2, later change of initial value can be prevented, and theinformation processing apparatus 100 can be protected from intentionalattack using a false initial value for the timer 152. The structure andprocessing of an information processing apparatus of the modification 2are the same as those in the first embodiment, and the explanationthereof is not repeated.

In the modification 2, the timer is a count-down timer and the initialvalue is written preliminarily, but what is written into the ROM is notlimited to the initial value. For example, when an up-counter is used asthe timer, the maximum value may be preliminarily written in the ROM orthe like.

In the first embodiment, the interrupt controller 140 is responsible fornotifying the interrupt process monitoring device 150 and the processor120 of the occurrence of interruption. The first embodiment, however, isnot intended to limit the notification of device interrupt transmittedto the interrupt process monitoring device 150 to the notification fromthe interrupt controller 140.

In modification 3 of the first embodiment, the device controllers 161 to163 directly transmit the notification of the occurrence of interrupt tothe interrupt process monitoring device 150. As shown in FIG. 10, in thededicated line connecting the device controllers 161 to 163 and theinterrupt controller 140, a dedicated line 1001 branched off in themiddle of the route is connected to the interrupt process monitoringdevice 150.

Accordingly, the structure is modified so that a line 1002 dedicated fornotifying the occurrence of interrupt from the interrupt controller 140is connected only to the processor 120. A system LSI 1010 is similar tothe system LSI 110 of the first embodiment except for the structure ofthe dedicated line 1001 and the dedicated line 1002, and the explanationthereof is not repeated.

When any of the devices generates an interrupt, the device controllers161 to 163 directly notify the interrupt controller 140 and the controlunit 151 of the interrupt process monitoring device 150 of theoccurrence of interruption. As a result, the detecting unit 155 candetect the interrupt based on the notification directly sent from thedevice controllers 161 to 163.

In the first embodiment, the interrupt controller 140 notifies theinterrupt process monitoring device 150 and the processor 120 of theoccurrence of interrupt. However, it is not necessary for thenotification signal indicating the occurrence of interrupt to betransmitted through the interrupt controller 140. In modification 4 ofthe first embodiment, therefore, the interrupt controller 140 is notused.

As shown in FIG. 11, an information processing apparatus 1100 in themodification 4 is similar to the information processing apparatus 100 inthe first embodiment, except for that the interrupt controller 140 iseliminated. In the following explanation, common elements of the firstembodiment and the modification 4 are identified with same referencenumerals, and the explanation thereof is not repeated.

As shown in FIG. 11, in the information processing apparatus 1100 of themodification 4, the device controllers 161 to 163 are connected to theprocessor 120 and the interrupt process monitoring device 150 viadedicated lines. Hence, the device controllers 161 to 163 can directlytransmit the notification of the occurrence of interrupt to theprocessor 120 and the interrupt process monitoring device 150. As aresult, the detecting unit 155 can detect the interruption based on thenotification directly sent from the device controllers 161 to 163.

The process executed by the components of the information processingapparatus 1100 in the modification 4 is similar to the process executedby the components of the information processing apparatus 100 in thefirst embodiment, except that the interruption notification is sentdirectly from the device to the processor 120 and the interrupt processmonitoring device 150 without passing through the interrupt controller140, and that the privileged software 131, the first guest OS 132, andthe second guest OS 133 confirm the interrupt not with the interruptcontroller 140 but directly with the device.

In the following, an example is explained where the first guest OS 132notifies the privileged software 131 of the occurrence of the interruptwithin a predetermined time after the third device 173 makes aninterrupt.

FIG. 12 shows an example where after the notification indicating theinterrupt sent from the third device 173 is accepted, thetimer-initial-value setting unit 153 of the interrupt process monitoringdevice 150 receives the initial-value setting request of the timer 152from the privileged software 131 within a predetermined time. As shownin FIG. 12, communications are made between and among the third device173, the processor 120, and the interrupt process monitoring device 150.

Steps S1201 to S1202 in FIG. 12 are the same as steps S501 to S502 inFIG. 5, and the explanation thereof is not repeated.

The third device 173 notifies the interrupt request to the first guestOS 132 operating on the processor 120 by way of the third devicecontroller 163 (step S1203). Further, the third device 173 notifies theoccurrence of interrupt to the interrupt process monitoring device 150substantially simultaneously with the notification at step S1203 (stepS1204).

Steps S1205 to S1207 in FIG. 12 are the same as steps S506 to S508 inFIG. 5, and the explanation thereof is not repeated.

The privileged software 131 on the processor 120 confirms the interruptrequest with the third device 173 (step S1208). Thus, the privilegedsoftware 131 confirms the interrupt request with each connected device,whereby the privileged software 131 can identify the device which madethe interrupt request.

Steps S1209 to S1210 in FIG. 12 are the same as steps S511 to S512 inFIG. 5, and the explanation thereof is not repeated.

When the first guest OS 132 does not notify the occurrence of theinterrupt to the privileged software 131 within a predetermined timeafter the third device 173 made the interrupt, and the softwareoperating on the processor 120 is not changed, the same processingprocedure as that in the first embodiment shown in FIGS. 6 to 8 isperformed except for the notification of interrupt from the third device173 shown in FIG. 12, and the confirmation of interrupt by the processor120, and the explanation is not repeated.

In the first embodiment, the device controllers 161 to 163 are directlyconnected to the on-chip device 180 or the interrupt controller 140. Insuch a case, however, the guest OS operating on the processor 120 in aprivilege mode of the highest level can attack the apparatus by makingan unjust access so as to make a device make an interrupt, for example.In modification 5 of the first embodiment, therefore, the access fromthe software such as the guest OS to the device is finely controlled forthe protection of the device.

As shown in FIG. 13, an information processing apparatus 1300 of themodification 5 is similar to the information processing apparatus 100 inthe first embodiment, except that device access control devices 1321 to1323 are added, that a protected region 1340 is added, and that theprivileged state managing device 190 is replaced with a privileged statemanaging device 1330 which performs a different process from the processof the privileged state managing device 190. In the followingexplanation, the same elements as in the first embodiment are identifiedwith same reference numerals, and the explanation thereof is notrepeated.

The privileged state managing device 1330 sends a signal indicatingwhether the information processing apparatus 1300 is in the privilegedstate or not, to the device access control devices 1321 to 1323 and theprotected region 1340. The privileged state managing device 1330notifies the interrupt process monitoring device 150, similarly to theprivileged state managing device 190 in the first embodiment. Thenotification to the interrupt process monitoring device 150 is the sameas that in the first embodiment, and the explanation thereof is notrepeated. Thus, the information processing apparatus 1300 can limit thewriting to setting information held in the device access control devices1321 to 1323 to only a time when the information processing apparatus1300 is in the privileged state, in other words, only when theprivileged software 131 is operating. The information processingapparatus 1300 can limit the reading or writing process on the protectedregion 1340 only to a time when the information processing apparatus1300 is in the privileged state, that is, only when the privilegedsoftware 131 is operating.

The protected region 1340 is a storage region where only the privilegedsoftware 131 is allowed to access. The protected region 1340 is astorage unit which stores information for managing the device, and canbe configured with any storage unit generally used, such as RAM (randomaccess memory).

The protected region 1340 stores setting data used in the device accesscontrol devices 1321 to 1323 described later. If the protected region1340 receives a writing request while it is notified from the privilegedstate managing device 1330 that the information processing apparatus1300 is in the privileged state, the protected region 1340 permits thewriting request, assuming that the writing request is made by theprivileged software 131.

The privileged software 131 reads out device access control informationwhich is stored in the protected region 1340 and to be set in the deviceaccess control devices 1321 to 1323. The privileged software 131 setsthe device access control devices 1321 to 1323 by using the deviceaccess control information read out.

The device access control information includes information indicatingthat the first guest OS 132 can access the first device 171, and thesecond guest OS 133 cannot access the first device 171, for example.

The first device access control device 1321 is connected to the firstdevice controller 161 and the privileged state managing device 1330. Thefirst device access control device 1321 determines whether each of theguest OSs is allowed to access the first device 171 or not according tothe stored setting. On determining that the guest OS is allowed toaccess, the first device access control device 171 transmits datasupplied from the guest OS, or transmits data to the guest OS. Since thefirst device access control device 1321 controls the access by the guestOS to the device as described above, the security can be enhanced.

Further, the first device access control device 1321 accepts a settingchange request only when the request is sent from the privilegedsoftware 131. The first device access control device 1321 determineswhether the access is from the privileged software 131 or not based onthe notification from the privileged state managing device 1330indicating whether the information processing apparatus 1300 is in theprivileged state or not. As a result, it is possible to protect thefirst device access control device 1321 from the guest OS operating inthe privilege mode of the highest level on the processor 120, andrewrite of setting of the first device access control device 1321 can beprevented.

The second device access control device 1322 is similar to the firstdevice access control device 1321 except that it is connected to thesecond device controller 162, and the explanation thereof is notrepeated. The third device access control device 1323 is similar to thefirst device access control device 1321 except that it is connected tothe third device controller 163, and the explanation thereof is notrepeated.

In the modification 5, the device access control devices and the devicecontrollers are separate units, but they may be assembled in a singleunit.

In the modification 5, only the privileged software 131 can rewrite thecontent of the setting of the device access control devices 1321 to 1323stored in the protected region 1340. Further, only the privilegedsoftware 131 can rewrite the information for the device access controlstored in the protected region 1340. Hence, the information processingapparatus 1300 can be firmly protected from attacks by malicioussoftware.

The information processing apparatus 1300 of the modification 5 with theabove-described configuration can protect control data for the deviceaccess control devices 1321 to 1323 from malicious software. Hence, thesafety of the information processing apparatus 1300 can be furtherenhanced.

Thus, the device control apparatus of the invention is useful for thetechnology for changing over the guest OSs appropriately in the casewhere an interrupt occurs from an arbitrary device during operation by aplurality of guest OSs.

Additional advantages and modifications will readily occur to thoseskilled in the art. Therefore, the invention in its broader aspects isnot limited to the specific details and representative embodiments shownand described herein. Accordingly, various modifications may be madewithout departing from the spirit or scope of the general inventiveconcept as defined by the appended claims and their equivalents.

1. A device control apparatus comprising: a processor that operatesaccording to software; a storage unit that stores privileged softwarewhich manages an interrupt to the processor from a device included inthe device control apparatus; an OS storage unit that stores anOperation System for calling the privileged software from the storageunit when an interrupt from the device is detected during an executionof the software; a detecting unit that detects an interrupt to theOperation System from the device while the Operation System is operatingon the processor; a judging unit that judges whether the OperationSystem has called the privileged software from the storage unit in afirst predetermined time from detection of the interrupt to theOperation System from the device; and a resetting unit that resets theprocessor when the judging unit judges that the Operation System has notcalled the privileged software from the storage unit.
 2. The apparatusof claim 1, further comprising: a time counting unit that counts untilthe first predetermined time elapses when the interrupt is detected,wherein the judging unit judges whether the Operation System calls theprivileged software or not after the time counting unit has counted thefirst predetermined time.
 3. The apparatus of claim 1, wherein theprivileged software sends a start notification to the judging unit toindicate that the privileged software starts an operation when theprivileged software starts the operation on the processor in response tothe call from the Operation System, and the judging unit judges that theOperation System calls the privileged software when receiving the startnotification.
 4. The apparatus of claim 3, further comprising: aprivilege judging unit that judges if software operating on theprocessor is the privileged software or not, wherein the judging unit,when the privilege judging unit judges that the software operating onthe processor is the privileged software even though the startnotification is not received, after the first predetermined time haspassed, judges again whether the Operation System has called theprivileged software before a second predetermined time passes after thelapse of the first predetermined time.
 5. The apparatus of claim 4,wherein the judging unit judges that the Operation System has not calledthe privileged software, when the start notification is not receivedafter lapse of the second predetermined time, and when the privilegejudging unit judges that the software operating on the processor is notthe privileged software.
 6. The apparatus of claim 1, wherein theOperating System stored in the OS storage unit calls the privilegedsoftware as the software operating on the processor when the OperatingSystem detects an interrupt of the device while operating on theprocessor, no matter whether the Operating System can control the deviceor not.
 7. The apparatus of claim 1, further comprising: an interruptcontrol unit that determines whether to ignore an interrupt or not whenreceiving the interrupt from the device, and that outputs the interruptto the processor when determining not to ignore.
 8. The apparatus ofclaim 7, wherein the interrupt control unit further outputs theinterrupt to the detecting unit when determining not to ignore theinterrupt received from the device.
 9. The apparatus of claim 1, furthercomprising: an access control unit that controls an access to the deviceby each of Operating Systems operating on the processor, according tosetting information set by the privileged software, the settinginformation indicating whether the Operating System can access thedevice or not.
 10. A device control apparatus comprising: a processorthat operates according to software; a storage unit that storesprivileged software which manages an interrupt to the processor from adevice connected to the device control apparatus; an OS storage unitthat stores an Operation System for calling the privileged software fromthe storage unit when an interrupt from the device is detected during anexecution of the software; a detecting unit that detects an interrupt tothe Operation System from the device while the Operation System isoperating on the processor; a judging unit that judges whether theOperation System has called the privileged software from the storageunit in a first predetermined time from detection of the interrupt tothe Operation System from the device; and a resetting unit that resetsthe processor when the judging unit judges that the Operation System hasnot called the privileged software from the storage unit.
 11. Theapparatus of claim 10, further comprising: a time counting unit thatcounts the first predetermined time when the interrupt is detected,wherein the judging unit judges whether the Operation System calls theprivileged software or not after the time counting unit has counted thefirst predetermined time.
 12. The apparatus of claim 10, wherein theprivileged software sends a start notification to the judging unit toindicate that the privileged software starts an operation when theprivileged software starts the operation on the processor in response tothe call from the Operation System, and the judging unit judges that theOperation System calls the privileged software when receiving the startnotification.
 13. The apparatus of claim 12, further comprising: aprivilege judging unit that judges if software operating on theprocessor is the privileged software or not, wherein the judging unit,when the privilege judging unit judges that the software operating onthe processor is the privileged software even though the startnotification is not received, after the first predetermined time haspassed, judges again whether the Operation System has called theprivileged software before a second predetermined time passes after thelapse of the first predetermined time.
 14. The apparatus of claim 13,wherein the judging unit judges that the Operation System has not calledthe privileged software, when the start notification is not receivedafter lapse of the second predetermined time, and when the privilegejudging unit judges that the software operating on the processor is notthe privileged software.
 15. The apparatus of claim 10, wherein theOperating System stored in the OS storage unit calls the privilegedsoftware as the software operating on the processor when the OperatingSystem detects an interrupt of the device while operating on theprocessor, no matter whether the Operating System can control the deviceor not.
 16. The apparatus of claim 10, further comprising: an interruptcontrol unit that determines whether to ignore an interrupt or not whenreceiving the interrupt from the device, and that outputs the interruptto the processor when determining not to ignore.
 17. The apparatus ofclaim 16, wherein the interrupt control unit further outputs theinterrupt to the detecting unit when determining not to ignore theinterrupt received from the device.
 18. The apparatus of claim 10,further comprising: an access control unit that controls an access tothe device by each of Operating Systems operating on the processor,according to setting information set by the privileged software, thesetting information indicating whether the Operating System can accessthe device or not.